05-09-2023 12:53 AM
Hi,
I have trouble with a CBS350 stack and some WLAN APs.
According to the log, the port fi2/0/42 was "suspended by acl-deny".
Two questions:
- Why did the firmware suspend the port, even though there are no errors logged?
- Why did the firmware suspend the port, even with "acl-deny Disable"?
Is there any way to understand how this thing works?
Thanks a lot
Henri
sh ver
Active-image: flash://system/images/image_cbs_ros_3.2.1.1_release_cisco_signed.bin
Version: 3.2.1.1
MD5 Digest: 937212ebf51de43330b6f7967a7445ae
Date: 13-Feb-2023
Time: 01:12:59
switch3#sh errdisable rec
Timer interval: 300 Seconds
Reason Automatic Recovery
---------------------- ------------------
loopback_detection Enable
port-security Disable
dot1x-src-address Disable
acl-deny Disable
stp-bpdu-guard Disable
stp-loopback-guard Disable
udld Enable
storm-control Enable
link-flapping Enable
untitled text 94:97: 09-May-2023 10:16:13 :%SEC-I-PORTAUTHORIZED: Port fi2/0/42 is Authorized
untitled text 94:99: 09-May-2023 10:15:48 :%STP-W-PORTSTATUS: fi2/0/42: STP status Forwarding
untitled text 94:107: 09-May-2023 10:15:43 :%SEC-W-PORTUNAUTHORIZED: Port fi2/0/42 is unAuthorized
untitled text 94:109: 09-May-2023 10:15:43 :%LINK-I-Up: fi2/0/42
untitled text 94:343: 08-May-2023 11:00:56 :%LINK-W-Down: fi2/0/42
untitled text 94:345: 08-May-2023 11:00:56 :%LINK-W-PORT_SUSPENDED: Port fi2/0/42 suspended by acl-deny
untitled text 94:517: 07-May-2023 13:39:24 :%STP-W-PORTSTATUS: fi2/0/42: STP status Forwarding
untitled text 94:519: 07-May-2023 13:39:20 :%LINK-I-Up: fi2/0/42
untitled text 94:521: 07-May-2023 13:39:14 :%LINK-W-Down: fi2/0/42
untitled text 94:523: 07-May-2023 13:39:10 :%LINK-I-Up: fi2/0/42
untitled text 94:525: 07-May-2023 13:39:08 :%LINK-W-Down: fi2/0/42
untitled text 94:527: 07-May-2023 13:39:05 :%LINK-I-Up: fi2/0/42
untitled text 94:529: 07-May-2023 13:39:00 :%LINK-W-Down: fi2/0/42
untitled text 94:605: 07-May-2023 03:21:25 :%SEC-I-PORTAUTHORIZED: Port fi2/0/42 is Authorized
untitled text 94:625: 07-May-2023 03:21:17 :%STP-W-PORTSTATUS: fi2/0/42: STP status Forwarding
untitled text 94:644: 07-May-2023 03:21:08 :%SEC-W-PORTUNAUTHORIZED: Port fi2/0/42 is unAuthorized
untitled text 94:646: 07-May-2023 03:21:08 :%LINK-I-Up: fi2/0/42
untitled text 94:775: 07-May-2023 03:20:49 :%LINK-W-Down: fi2/0/42
untitled text 94:938: 07-May-2023 03:18:25 :%LINK-W-Not Present: fi2/0/42
untitled text 94:1390: 05-May-2023 00:22:28 :%STP-W-PORTSTATUS: fi2/0/42: STP status Forwarding
switch3#sh int count fi2/0/42
Port InUcastPkts InMcastPkts InBcastPkts InOctets
---------------- ------------ ------------ ------------ ------------
fi2/0/42 157428 62077 2607 50388306
Port OutUcastPkts OutMcastPkts OutBcastPkts OutOctets
---------------- ------------ ------------ ------------ ------------
fi2/0/42 716392 6149710 2691263 1430934600
FCS Errors: 0
Single Collision Frames: 0
Multiple Collision Frames: 0
SQE Test Errors: 0
Deferred Transmissions: 0
Late Collisions: 0
Excessive Collisions: 0
Carrier Sense Errors: 0
Oversize Packets: 0
Internal MAC Rx Errors: 0
Symbol Errors: 0
Received Pause Frames: 0
Transmitted Pause Frames: 0
05-09-2023 01:51 AM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf88738
M.
05-09-2023 03:40 AM
Hi Marce,
thanks, but ...
Conditions: unbind the ACL from port under traffic, and the ACL includes a deny ACE with an "disable-port" option.
I have no ACLs defined here.
Thanks again
Henri
05-09-2023 03:53 AM
- Try using the latest firmware for the CBS350 (stack): check if that can help.
M.
05-14-2023 10:02 AM
Hi Marce,
did not help.
Henri
Active-image: flash://system/images/image_cbs_ros_3.3.0.16_release_cisco_signed.bin
Version: 3.3.0.16
MD5 Digest: 7decdf94fd5999afb7b07509896c693b
Date: 23-Mar-2023
Time: 11:37:54
14-May-2023 00:19:34 :%LINK-W-Down: fi2/0/42
14-May-2023 00:19:32 :%LINK-W-PORT_SUSPENDED: Port fi2/0/42 suspended by acl-deny
06-27-2023 05:59 AM
It happens again and again....
2023-Jun-27 07:00:19
%LINK-W-PORT_SUSPENDED: Port fi2/0/44 suspended by acl-deny
07-04-2023 12:35 AM
11-26-2024 07:09 PM
Just happened to me as well. I have no ACLs set on the switch. The stack disabled two ports for ACL Deny. Oddly enough, one of the ports that got shut down was vacant and has never had anything plugged into it. Running firmware 3.4.0.17.
12-04-2024 12:01 AM - edited 12-09-2024 11:45 PM
I have a couple of questions regarding this issue:
Why did the firmware suspend the port when there are no other errors logged?
Why was the port suspended even when the "acl-deny Disable" command is configured?
I am trying to understand how this behavior works and would appreciate any insights or explanations.